Mailfence threat model

We believe that every user has the right to know exactly what threats Mailfence – a secure and private email suite is designed to PROTECT or NOT PROTECT you from. That’s why we’ve composed this generic Mailfence threat model.

‘Mailfence’ will PROTECT YOU against:

Eavesdropping on your internet connection – When you are using Mailfence, the connection between your computer and the Mailfence server is protected by (SSL/TLS) encryption. That means if someone is eavesdropping on your Internet connection, they will not be able to read the traffic that you send to our website. This is especially important if you are using your computer from a public or office network, or if you are using a wireless connection that is not encrypted.

Mass surveillance – Perfect for an individual (or corporation) that does NOT want the government (or other non-state actors) to have access to all of their emails at any time. Mailfence does not operate like the gigantic American players (Google, Microsoft, Yahoo…) who continuously scan and archive all of your conversations. Our end-to-end encryption technology (E2EE) is designed to guard you against anyone who is trying to snoop your email privacy by giving absolute confidentiality and integrity to all of your messages – where only a designated recipient can read the content of a message via decrypting it through his/her private key.

Message Forgery / Tempering Attacks – With digital signatures, ‘Mailfence’ gives you the possibility of having absolute authenticity and non-repudiation – thereby making it the only solution which provides the complete CIA triad to its users and makes it an ideal platform for not only privacy enthusiasts but also for professionals (doctors, engineers, lawyers, journalist, teachers, students…) to exercise their online liberty to the fullest.

Compromised Account – If your account password gets compromised – the protective layer of passphrase over your private key will restrict an attacker to perform any crypto-activity (send any encrypted and/or digitally signed messages, performing operations on your key store…) and to read any of the encrypted emails that have been sent to you by other people. Thereby preserving the confidentiality and integrity of your encrypted content to the max.

Data Theft – Let’s say if a strong adversary (state or even a non-state actor) somehow breaches our servers to get hold of our data (which is highly unlikely to happen) – all of your encrypted content will remain intact and no adversary will be able to decrypt it, as it will require your private key that has been protected by your passphrase (which you and only you knows). Also, to reduce the odds of cracking-down a private-key by using heavy-state machinery & resources, the default length of every generated Key-Pair has been set to 4096 bits (being generated with strong entropy) – some folks will say it only provide a bit of extra security comparing to 2048 bits – well, we say that we don’t mind grabbing that extra).

‘Mailfence’ will NOT PROTECT YOU against:

A compromised device – If your device has been compromised by a malware, keylogger etc (which is not very difficult to perform these days, especially if your adversary is a state actor) then E2EE and other security measures are useless. In fact your adversary can use your account to further spoof your identity and damage your online presence on a large scale. (keep an eye on ‘tips’ in our blog to follow better practices)

Compromised or forgotten passphrase – This is yet another and unfortunately a common case. If your passphrase has been compromised (let’s say via a malware, keylogger or through the use of bad practices – writing it somewhere, sending it in clear text, ……) or you simply have forgotten it – then you’ll be in serious trouble and we will not be able to help you in anyway, except to urge you to change your passphrase or simply revoke that keypair and use a new one. (see ‘How to‘ for more details)

A high level Man-in-the-Middle (MITM) attack – High level Man-in-the-Middle attack is a kind of attack where an adversary (typically a state actor) can create a clone of Mailfence in an extremely sophisticated manner (forging our certificate – which is very hard but not impossible, authenticating user’s on false grounds, etc.) and somehow also faking all the services that Mailfence provides in order to fool you into confusing us with them for compromising your data at large. Provided the complexity and difficulty of such an attack – it is often considered as a threat only from high-level adversaries (state actors…). Due to our efforts into getting a CA certificate (having no american company in the chain etc) and providing you with the possibility of verifying our SSL/TLS certificate, we have guarded our defenses to a maximum possible extent.

Heavy state-funded/APT attacks (DDoS, breaking the crypto, planting a backdoor etc.) – DDoS (a distributed Denial of Service attack) is usually aimed at shutting-down an entire service (website) thereby forcing their users to not use it anymore. In our more than 15 years of operating a cloud messaging service, we have already been into certain situations of this kind and have done our best to mitigate such a threat. Other common state funded and resourced attacks like (Breaking the crypto, planting a backdoor, sending you a bad Javascript code, …etc) can also potentially happen – as the saying goes ‘Nothing is impossible’. However, we on our side have taken every (humanly) possible measure to mitigate such kind of threats.

Before any final thoughts – we would like to state clearly that Mailfence should not be used for any illegal activity and that we comply with the Belgian Law (see our Privacy Policy for more details). Consequently, our service is ideal for protecting sensitive business communications, private & personal data – for both professional and personal users of all sort (doctors, engineers, lawyers, journalists, teachers, students…).

Now, Mailfence is a state-of-the-art solution which provides (pretty) good privacy and security. We do realize there are users who may have specific adversaries that are focusing enormous resources towards their targets – and that’s where even crypto might not do much as this comic will possibly illustrate.

‘Privacy is a right, not a feature’ – is the belief that lies at the very foundation of Mailfence and we’ve done all we can to stand by this statement.

I think he is bothered by the twentyfifteen-fonts-css stylesheet that links back to fonts.googleapis.com/css?family=Noto+Sans%3A400italic%2C700italic%2C400%2C700%7CNoto+Serif%3A400italic%2C700italic%2C400%2C700%7CInconsolata%3A400%2C700&subset=latin%2Clatin-ext

I’m no expert but privacy badger says it doesn’t appear to track. Who knows with Google though